Security

Security disclosure policy

How to report security vulnerabilities in Qhalent's systems, and what to expect from us when you do.

Qhalent Cyber LLP is a cybersecurity practice. We take the security of our own systems seriously, and we welcome reports from security researchers who identify potential vulnerabilities.

How to report

If you have identified a security vulnerability in any Qhalent system or service, please report it to us at:

Email
security@qhalent.com

When reporting, please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce, including any required configuration or context
  • The affected system, URL, or component
  • Any proof-of-concept code, screenshots, or supporting material
  • Your name and how you'd like to be acknowledged (if at all)

What you can expect from us

When you submit a report in good faith, we commit to:

  • Acknowledge receipt of your report within two business days
  • Investigate the report and validate the vulnerability
  • Keep you informed of our progress and remediation timeline
  • Credit you publicly for the disclosure (with your permission) once the issue is resolved
  • Not pursue legal action against researchers who comply with this policy and act in good faith

What we ask of you

To act in good faith under this policy, we ask that you:

  • Give us a reasonable time to investigate and address the vulnerability before publicly disclosing it
  • Avoid actions that could harm our systems, our clients, or the privacy of users — including denial-of-service attacks, social engineering, or accessing data beyond what's necessary to demonstrate the vulnerability
  • Do not modify, delete, or destroy data
  • Do not exploit the vulnerability beyond what's needed to validate it
  • Provide us with a reasonable opportunity to coordinate disclosure timing

Scope

This policy applies to:

  • The qhalent.com website and any subdomains
  • Qhalent-operated email systems
  • Qhalent-developed software and services explicitly identified as in scope

The following are out of scope:

  • Third-party services we use (e.g., Cloudflare, Google Workspace) — please report directly to the relevant vendor
  • Issues that require physical access to Qhalent premises or equipment
  • Social engineering attacks against Qhalent staff or clients
  • Vulnerabilities in client systems (please report through the client's own disclosure channel)

Out-of-scope findings we're not interested in

  • Missing security headers without demonstrated impact
  • SSL/TLS configuration issues that do not reduce real-world security
  • Self-XSS or attacks requiring full control of the victim's machine
  • Reports from automated scanners without independent validation
  • Login-page username enumeration where no rate-limiting bypass exists

Recognition

We're a small practice and not currently operating a bug bounty programme with monetary rewards. We will, however, publicly acknowledge researchers who responsibly disclose verified vulnerabilities — with your permission and to the degree of public recognition you prefer.

PGP and encryption

For especially sensitive reports, please request our PGP key via the security email above. We'll respond with current key material.

security.txt

This policy is also published in machine-readable form at /.well-known/security.txt, following RFC 9116.